Cisco ASA No Debug Output?
KB ID 0001477 Problem I see this get asked in forums A LOT, typically the poster has another problem they are trying to fix, someone has asked them to debug the problem and they cant see any debug output. Solution Firstly you need to understand what logging is, and how debugging fits within it. (Bear with me, this is good knowledge to have). The firewall saves logs in syslog format, and there are 8 Levels of logs, the one with the...
Cisco AnyConnect With Server 2016 NPAS (RADIUS) Different Groups
KB ID 0001474 Problem A few years ago I replaced a firewall that was setup like this, and while it took me a while to work out what was going on, I remember thinking it was an elegant solution. Fast forward to today, and I’m now working with the guy who set it up! (Kudos to Paul White). So when I had a client with a similar requirement, I sat down fired up the lab, and documented it. What was used; Windows 10 Remote Client...
Unable to Access ASDM – “Unable to launch device manager from…”
KB ID 0000915 Problem A colleague of mine was trying to connect to a firewall via ASDM last week, and was greeted by an error like this. Now this is a pretty standard error, and usually means you haven’t been allowed access, or there isn’t a firewall at that address, but in this case I knew that a) he did have access, b) that was the correct IP address, and c) it worked fine on my machine, so it was setup correctly. As I...
Connecting to and Managing Cisco Firewalls
Also see “Allow Remote Management” KB ID 0000075 Problem To connect to and manage a Cisco firewall you need three things, To be in possession of a password, (and in some cases a username). Have the ‘Method of Access granted to you’ (or have physical access to the firewall). Know a ‘Method of Access’ to the firewall for management. Cisco Firewall Passwords Unless your firewall is brand new (in which...
FirePOWER: ‘No Authentication Required’ No Usernames
KB ID 0001460 Problem When attempting to track Users with FirePOWER, the FMC would not show any usernames? Solution Theres a lot of reasons this might not work, let’s take a look at a few of them. Firstly make sure the server running the ‘user agent’ is listed under System >Integration > Identity Sources > User Agent. It probably goes without saying, but over on server running the user agent, make sure it...
Cisco Firewalls and PING
KB ID 0000351 Problem With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside. OK – to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not “connection...
Cisco ASA: VPNs With Overlapping Subnets
KB ID 0001446 Problem I’ve seen this pop up a few times in forums, and I’ve even seen people post “It cant be done, you will need to change one of the subnets,” but to be honest, it’s not that difficult. We simply have to do some NAT. This is the bit people struggle with, with VPNs usually we need to STOP NAT being applied to VPN traffic, and we still do, we simply NAT the traffic before we sent it over...
Cisco ASA ‘Ping Source?’
KB ID 0001445 Problem To be honest, the title is a little misleading, on an ASA you can specify which interface to launch a ‘ping’ from, but that’s it. I found myself in a situation today where I was working on a client firewall and I was trying to bring up a VPN tunnel, and I did not have access to any of their machines, and nor did they, (hence the reason for the VPN tunnel!) Well we can’t use good old...
Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall
KB ID 0001428 Problem I got asked to put in a VPN for a client, this week, it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from and ASA to a Fortigate ‘through’ another ASA. It’s been a few years since I had to tunnel ‘through’ a firewall, and experience tells me, if you don’t have control of BOTH ends of a new VPN tunnel, anything that stops...
Cisco ASA: Group-Lock WARNING
KB ID 0001423 Problem You will see this error if you are pasting configuration into a Cisco firewall. This week I was manually converting an old 8.2 version firewalls configuration, to run on a modern (version 9) firewall, when I saw this; Petes-ASA(config)# username fred.bloggs attributes Petes-ASA(config-username)# group-lock value SOME-VALUE WARNING: tunnel-group SOME-VALUE does not exist Solution The reason you are seeing this...